A recent study of 9,200 consumers showed 11% received notifications from companies informing of security breaches affecting them. Of that slice, 39% thought the notification was spam or junk mail, and 5% retained lawyers.
These are some of the findings of a survey published last week on data security-breach notification, conducted by the Ponemon Institute and sponsored by law firm White & Case. Now that almost half of the states have statutes enforcing notification from a company or government body when a security breach has happened, organizations need to know how to effectively notify consumers whose information might have been stolen to help prevent further damage, says David Bender, co-chairman of White & Case's global privacy practice.
"Anyone who has to give notification can learn a fair amount by looking at the survey results that tell what types of notification can be least likely to cost them customers and result in lawsuits," Bender says. Indeed, 58% of respondents say the breach decreased their sense of trust and confidence in the notifying organization, while 19% say they discontinued their relationship with the organization following the breach.
While notification is the law in many states, there are ways to approach the process that can help rebuild consumer faith in the organization; 61% of respondents say the message contained in the notice was honest and believable. But companies have room for improvement when it comes to drafting these notices.
"Many consumers are dissatisfied by these notifications, because they came too late, or there weren't enough facts, or they contained misstatements," Bender says. "They have to be comprehensible, state the facts, and be accurate and timely." For example, a company shouldn't use the term "encryption" without defining it. (Of the 22% of respondents who know what encryption means, only 5% say the notifying company maintained their information was encrypted.)
The most effective means of informing consumers of a breach is a personal letter followed up with a phone call, Bender says.
An interesting finding is that 5% of respondents say they retained lawyers following notification, given that most state statutes don't allow individuals to take action against notifying organizations.
"That doesn't mean you can't try it anyway," Bender says.
The Identity Theft Resource Center puts the number of consumers notified of a security breach at 56.2 million, more than double that of the Ponemon Institute's extrapolated 23 million.
The institute says this discrepancy could stem from duplicate notifications sent to the same person.